What are the currently available anti-executable options?

Discussion in 'other anti-malware software' started by NoHolyGrail, Dec 24, 2014.

  1. NoHolyGrail

    NoHolyGrail Registered Member

    Joined:
    Nov 14, 2005
    Posts:
    46
    VoodooShield does look ideal. I'm going to give this a try.
     
  2. NoHolyGrail

    NoHolyGrail Registered Member

    Joined:
    Nov 14, 2005
    Posts:
    46
    I was actually wondering about that; what is the distinction between HIPS and AE? Is AE a subset of HIPS? Do all HIPS include AE functionality? I'd been using OA primarily for its AE feature.
     
  3. 142395

    142395 Guest

    AE can be said as subset of HIPS though some AE have additional function which may not be in HIPS. HIPS can restrict progrmas even after you allow its execution in various ways, such as forbidding global hook, manipulating other process, or any other potential dangerous activity. I don't know all HIPS can be used as AE, but most can.

    Enable Advanced Mode (paid only), disable automatic features (see this) if you don't want it to allow programs that is not known bad, then configure each browser, pdf reader, office programs, plugin processes, or if you have, ftp client software or all other potentially exploitable software (right click each exe in Programs tab) and change "start applications" permission to "ask". You'll be notified when they attempt to spawn new process, so if it is legitimate one then allow only it. You'll be also prompted when unwhitelisted program try to run on your system.

    Some caveats: You can't remove all automatic decision by OA as long as browser or other programs are set to be trusted program. However, untrust those can cause issue and I don't recommend it. Even in trusted condition, OA still asks some activity if you set that permission to "ask", IIRC maybe "start applications", "set global hooks", and "enumerate files"...not sure as currently I don't have OA installed.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,730
    Location:
    The Netherlands
    AE are most of the time more easy to use, since they are specialized in white-listing. Not all HIPS offer AE, but if they do, the white-listing part is a bit less easy to manage, but they are often more strict when monitoring parent-child processes. This can be good for security but is sometimes also annoying. My experience is based on EXE Radar and System Safety Monitor.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    What I did when I ran OA, is based on the Appguard assumption that malware downloads to a user area, not the system areas, I exclude Windows Program Files and Program files x86. Then OA only alerted me to something new. Effect was whitelisting.

    Pete
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    With all of the discussion about controlling what malware does when it gets onto a system, we tend to forget about controlling the entry points that allow the malware in the first place.

    Here are four vulnerable entry points:
    • firewall (eg: Conficker.A via port 445)
    • browser
    • email attachments
    • USB
    When you think about it, proper configuration of the above and correct decisions (eg: regarding email attachments) would take care of a lot!

    Whether or not people do this is beside the point: protective methods are available.

    Even the so-called fileless malware so far have used the same entry points:
    • a browser plug-in vulnerability
    • a specific IE vulnerability
    • email attachment trickery (MS Office Document)
    When you think about it, is there any difference whether a piece of malware writes to memory, or writes to disk? Malware has to gain access through an entry point.

    Although I have an AE installed, in the almost ten years I've used it, it has never alerted to anything (except when I've intentionally gone to a booby-trapped web site to test a remote controlled execution exploit.)

    While such protection (and the newer anti-exploit software) are a nice addition to one's security, more consideration of protecting the entry points would help reduce the number of infections more than anything.


    ----
    rich
     
    Last edited: Dec 29, 2014
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Rich makes a lot of valid points there. I didn't want to quote the whole thing and take up unnecessary space. But yes, we definitely have to take a look at all of the different avenues for attack vectors to occur in the first place. I'm sure the majority of us here at Wilders have most of that covered, but sadly the greater majority of everyday casual users are often far behind on security updates (if not turned off completely) nor have the proper knowledge (or desire) to make the appropriate decisions. It's no wonder there's so many botnets and such. I wish that there was an easier way to reach out to that greater majority of casual users, but I suppose it doesn't help if people don't want to listen or take the time to learn on their own.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    Let's take the recent Angler Exploit Kit fileless exploit as an example:

    Digging deep into Angler Fileless Exploit delivery
    October 1, 2014
    https://hiddencodes.wordpress.com/2014/10/01/digging-deep-into-angler-fileless-exploit-delivery-2/
    The CVE is from last year, and Microsoft issued a patch in May, 2013:

    MS13-037 Cumulative Security Update for Internet Explorer ( 2829530 )
    May 14, 2013
    https://technet.microsoft.com/en-us/library/security/ms13-may.aspx
    At that time, no exploits in the wild had been reported.

    I used to advocate that each Wilders member take someone under her/his wing, so to speak, and teach basic computer security. Every little bit would help.


    ----
    rich
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    I have my person, and it is someone willing to learn and adapt. They have not been infected since we started. Initially it was SBIE, but now that they need to occasionally operate in a coffee shop, with business data, we went full armor on. it is working.

    Pete
     
  10. I agree with Rich, focus on threat gates (for me browser, email and media player) and autoruns plus limit access to shell/script has done the trick for the last 5 years.
     
  11. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,361
    APS from Hauri.

    It can be considered an anti-executable though its also an anti-exploit as well.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.